Ransomware Targets Healthcare Sector

When we develop threats predictions at McAfee, I personally like to conduct some proper research and base my statements on indicators of what we have seen in the field and what we believe will increase in the next six to 12 months.

In the McAfee Labs 2016 Threats Predictions, we stated that ransomware would increase. Just six weeks into the year, we have seen massive campaigns spreading new versions of TeslaCrypt and CryptoWall Version 4. Also we have seen multiple new sites surfacing that employ ransomware-as-a-service—offering the easy creation of ransomware and tracking the payments of victims.

For some of our predictions, we wish they would not result in a real-world attack. Unfortunately, that’s not the case. The second part of our ransomware predictions was that targeted attacks with ransomware would harass certain sectors.

This week we learned that a hospital in Hollywood, California, was impacted by a ransomware campaign. Their network was down for more than a week along with the loss of email and patient data. Normally cybercriminals ask between US$200 and $500 to restore files. In this particular case, however, they demanded $3.6 million, a possible indicator of a ransomware campaign that was not at all random. Other sources reported more healthcare victims of ransomware this week.

In hospitals, computers from different departments are interconnected and share the data from patients, x-rays and CT scans. These systems are often not segmented in different networks or security zones. The moment the data on these systems is encrypted by ransomware, daily operations come to a halt because parts of the chain are no longer available. Not only ransomware, but also a random malware infection can cause a lot of damage. When working with McAfee’s Foundstone incident response team, I remember a few cases in which we had malware infections in hospitals around the globe. The biggest challenge we had was to clean medical devices, usually running an old version of an embedded operating system. We sometimes ended up with command-line tools and custom configuration files to clean those devices of malware.

Not all hospitals have the budget for a dedicated information security staff to secure and monitor the network. The priority is to keep the systems available 24/7/365. However, some basic security principles concerning network architecture and protecting sensitive data (including backups) should be in place. For example, medical devices with an embedded outdated operating system should never be allowed to connect to the Internet. They belong in a segmented and separated network zone, dedicated to a hospital department and with access rules that regulate their connection between these zones.